OllieMackJames

Hanna Code 403 Error Code


When I access hanna code and try to save something I get a "403 Forbidden Access to this resource on the server is denied!" error.

I am on a centos litespeed VPS with latest pw and latest hanna code module
 

Anybody have any ideas?

 


In most cases (probably all I've heard of so far) this type of issue is caused by the security settings on the host, mod_security (ModSecurity) module, etc.

LiteSpeed apparently has its own WAF feature, so that's probably where I'd start digging into this; is something like that enabled, have you recently made any changes on the host, or could the host have been updated by someone else? Has this worked before?

  • Like 3


@teppo thanks for your thoughts.

This has worked before, and fortunately the code still works, but when I try to change anything and save, it throws this error.

I changed VPS recently and moved from freebsd to centos with litespeed and different security settings on the host than before, so this must indeed be the problem.

The error screen indeed shows litespeed at the bottom, so it seems like a server thing rather than a processwire thing.

Now the big question is what do I need to change where so it will work again.

What is it in Hanna Code that triggers WAF, any ideas?

Thanks again teppo.
 

13 minutes ago, OllieMackJames said:

What is it in Hanna Code that triggers WAF, any ideas?

It's not so much about Hanna Code specifically, but rather posting (obvious) code via any web form. ModSecurity and different WAF implementations may detect this and assume malicious intent, which is problematic here since we actually want (authenticated) users to be able to post code.

The easiest thing to do would be disabling this feature altogether, either globally or at htaccess level for a specific site. I'm not familiar with this solution so I've no idea if there's some way to keep it on for most users and/or just disable parts of it, but you may find more about that from the LiteSpeed manual.

Edit: at least in Apache you can wrap <IfModule></IfModule> with <Directory /some/path/on/disk/></Directory>, which might help to selectively disable this feature. And it's also possible to check if a cookie exists, in which case you could sniff for a "wires" cookie first, though I've never tested this in practice and don't know if those will work together.

Edited by teppo
  • Like 2


I'd run this check to see if mod_sec is running first and if so, then you can figure out how to disable it.

[Image: image.png]

  • Like 2


I have a hosting account that runs litespeed, and I use this snippet in the .htaccess, which was recommended by Ryan.

<IfModule security2_module>
    # Allow ModSec rule processing without disruptive action
    SecRuleEngine DetectionOnly
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>

 

 

  • Like 1

3 hours ago, Macrura said:

I have a hosting account that runs litespeed, and I use this snippet in the .htaccess, which was recommended by Ryan.


<IfModule security2_module>
    # Allow ModSec rule processing without disruptive action
    SecRuleEngine DetectionOnly
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>

 

 

Thanks @Macrura unfortunately that did not work for me, where did you put this in your htaccess?

Thanks


I put it as first thing

  • Like 1

12 hours ago, Macrura said:

I put it as first thing

Thanks @Macrura, sorry to bother, but is that in root htaccess or in site?

Funny thing is that hanna code allows me to save as long as there is no php code in there


in root; you can also exclude certain rules, I'll check some of the other sites


On one of the sites, the host put this in, so if you figure out the ID of which rule is being triggered, you would add this, in addition to the more general snippet.

<LocationMatch "/">
        SecRuleRemoveById 77218500
</LocationMatch>

If you have access to the Formbuilder forum, there are around 4-5 posts about this similar issue with various examples of htaccess rules, remove by ID etc.

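The step mentioned above, finding the ID of the rule that is being triggered, worked through as an added example that is not part of the original thread or any poster's code. It assumes the Apache mod_security2 error-log layout (LiteSpeed's may differ) and the default ProcessWire admin path `/processwire/`; the log lines are constructed, and only rule ID 77218500 comes from the thread.

```python
import re
from collections import Counter

# Constructed sample in the Apache mod_security2 error-log layout (an assumption;
# LiteSpeed's log layout may differ). Rule 77218500 is the ID quoted in the thread;
# every other value here (IDs 900001/900002, hosts, paths, messages) is made up.
SAMPLE_LOG = r'''
[Mon Jan 06 10:15:02 2020] [:error] [pid 2211] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<\?php" at ARGS:code. [file "/etc/modsec/rules.conf"] [line "41"] [id "77218500"] [msg "PHP code in request body"] [hostname "example.test"] [uri "/processwire/setup/hanna-code/edit/"] [unique_id "AAA1"]
[Mon Jan 06 10:16:40 2020] [:error] [pid 2211] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<\?php" at ARGS:code. [file "/etc/modsec/rules.conf"] [line "41"] [id "77218500"] [msg "PHP code in request body"] [hostname "example.test"] [uri "/processwire/setup/hanna-code/edit/"] [unique_id "AAA2"]
[Mon Jan 06 10:16:41 2020] [:error] [pid 2211] [client 203.0.113.7] ModSecurity: Warning. Pattern match "eval\(" at ARGS:code. [file "/etc/modsec/rules.conf"] [line "77"] [id "900002"] [msg "Suspicious function call"] [hostname "example.test"] [uri "/processwire/setup/hanna-code/edit/"] [unique_id "AAA3"]
[Mon Jan 06 10:20:11 2020] [:error] [pid 2214] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "12"] [id "900001"] [msg "SQL injection attempt"] [hostname "example.test"] [uri "/contact/"] [unique_id "AAA4"]
'''

DENIED = re.compile(r"ModSecurity: Access denied with code (\d+)")
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # e.g. [id "77218500"], [uri "/x/"]

def parse_denials(log_text):
    """Return one dict per blocked request; 'Warning' (non-blocking) lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        match = DENIED.search(line)
        if not match:
            continue
        fields = dict(FIELD.findall(line))
        if "id" in fields:
            denials.append({"status": int(match.group(1)), "id": fields["id"],
                            "uri": fields.get("uri", ""), "msg": fields.get("msg", "")})
    return denials

def blocking_rules(log_text, uri_prefix):
    """Count the rule IDs that blocked requests under uri_prefix only."""
    return Counter(d["id"] for d in parse_denials(log_text)
                   if d["uri"].startswith(uri_prefix))

def exclusion_snippet(rule_ids, location_regex):
    """Build a LocationMatch block that removes only the given rules for one path."""
    body = "\n".join(f"    SecRuleRemoveById {rid}" for rid in sorted(rule_ids))
    return f'<LocationMatch "{location_regex}">\n{body}\n</LocationMatch>'

if __name__ == "__main__":
    hits = blocking_rules(SAMPLE_LOG, "/processwire/setup/hanna-code/")
    for rule_id, count in hits.most_common():
        print(f"rule {rule_id} blocked {count} request(s)")
    print(exclusion_snippet(hits, "^/processwire/setup/hanna-code/"))
```

Scoping the generated block to the Hanna Code admin path, rather than `"/"`, leaves the rule active for the rest of the site, including the denial on `/contact/` in the sample.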
